Changing to text() should avoid this XSS behavior. Another thing to avoid is
any HTML tag.
I don't know if this will cause problems with WYSIWYG editors working
together with your plugin.
On Thu, Nov 20, 2008 at 15:20, Rik Lomas [EMAIL PROTECTED] wrote:
Thanks Leonardo
On a different forum, it was mentioned that a user could XSS by
entering <script type=text/javascript>alert('hello');</script> into
a field. Should I set the default to text() instead of html() to get
around this or should I try and filter out any script tags?
Rik
2008/11/20 Leonardo K [EMAIL PROTECTED]:
Interesting idea. Great plugin.
On Thu, Nov 20, 2008 at 08:29, [EMAIL PROTECTED] wrote:
Hi guys,
I've just finished my new plug-in called magicpreview:
http://rikrikrik.com/jquery/magicpreview/
It's for use in forms and it automagically updates selected elements
on your page based on your form fields. Perfect for letting your users
see what they're doing when filling in forms. There's a couple of
demos on my site too.
I'd love to hear your feedback and comments on my plug-in.
Thanks,
Rik
--
Rik Lomas
http://rikrikrik.com
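The text() versus html() question raised in the thread, as an added example that is not part of the thread or of the magicpreview plugin: escapeHtml, renderPreview and containsElementTag are illustrative names, and the sample payload is constructed from the one quoted above.

```javascript
// Escape the five characters HTML treats specially. Once escaped, the input
// can only ever render as literal text, which is what jQuery's text() setter
// guarantees by assigning a text node instead of handing markup to the parser.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialised markup the preview element ends up containing in each mode.
// 'html': the raw field value goes to the parser (the plugin's current default).
// 'text': the value becomes a text node, i.e. the same as escaping it.
function renderPreview(fieldValue, mode) {
  if (mode === 'text') return escapeHtml(fieldValue);
  if (mode === 'html') return fieldValue;
  throw new Error('unknown preview mode: ' + mode);
}

// True when the serialised preview still contains an element tag, meaning the
// browser would interpret part of the user's input as markup rather than text.
function containsElementTag(markup) {
  return /<\/?[a-zA-Z][^>]*>/.test(markup);
}

// Constructed sample: the script injection reported in the thread.
const SAMPLE_PAYLOAD = "<script type=text/javascript>alert('hello');</script>";

// In the browser the safe default corresponds to
//   $(target).text($(field).val());   // rather than .html($(field).val())
// so a user can only ever change what the preview says, not what it runs.
```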